[chef] Re: Re: Open Source Chef: server as workstation in dmz


  • From: Ranjib Dey
  • Subject: [chef] Re: Re: Open Source Chef: server as workstation in dmz
  • Date: Tue, 17 Jun 2014 23:26:38 -0700

Chef server uses nginx for SSL termination; the config can be found here:
/var/opt/chef-server/nginx/etc/chef_https_lb.conf
You can tune nginx to use different certs and IPs using different names (one for internal, one for external). When you trigger bootstrap, make sure you use the knife config with the external name for bootstrap and another config with the internal name for cookbook upload, etc.

Note: AFAIK these configs are generated by chef-server-ctl and will be overwritten if you invoke chef-server-ctl reconfigure.


On Tue, Jun 17, 2014 at 10:12 PM, Daniel DeLeo wrote:


On Monday, June 16, 2014 at 6:25 AM, the original poster wrote:

>
> Hello community,
>
> I'm quite new to Chef and I have to set up a Chef server, and now I am totally
> stuck. I hope I can find some help here because I found nothing about my
> problem in the documentation and I've been working on this for 3 weeks :(
>
> First of all, the description of the situation:
>
> The server resides in the DMZ subnet of the office LAN (as a VM, Ubuntu 14.04).
> It has a private IP (192.168.0.2) and local name/FQDN (chef.dmz.loc). From the
> internet the server is accessible via an external FQDN and IP (example.com,
> 93.184.216.119) by the appropriate firewall rules/port-forwarding.
>
> It is also used as a workstation, and a special user account (chefdev) is
> designated to create, modify and upload cookbooks as well as bootstrap nodes.
> This setup (DMZ, special account, server = workstation) can be seen as
> constraints.
>
> The problem is that I either can't upload cookbooks or I can't bootstrap nodes.
> If I configure everything for the local FQDN it's possible to upload cookbooks,
> but bootstrapping nodes does not work because from the internet the local name
> is not resolvable (of course!). If I configure the server for its external IP
> I can't upload cookbooks because of an SSL handshake failure.
>
> Is there any solution for this under the constraints mentioned above? Thanks in
> advance.
>
> Below are some configurations and error messages which might be needed for you
> to help me. If you need some more, please tell me.
>
> configuration (ext. IP): http://pastebin.com/3uwMYutz
>
> error messages
> knife: http://pastebin.com/gAfsYiej
> erchef: http://pastebin.com/Rc5UDvj4

The most general solution is to use an SSL certificate with a SubjectAltName field that contains both the FQDN and the IP address.

You could also use split-horizon DNS or configure the chef-server’s hostname in your /etc/hosts.

The least good solution is to disable SSL certificate verification for hosts on the local network.

--
Daniel DeLeo
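Worked example, added here for the archive (it is not code from the thread or from Chef itself): Daniel's SubjectAltName suggestion and Ranjib's two-names approach both come down to one question, whether the name or IP that knife puts in chef_server_url is covered by the certificate nginx presents. The Ruby below builds self-signed test certificates with and without a SAN, using the two names and two addresses from the original post, and runs each candidate target through OpenSSL::SSL.verify_certificate_identity, the hostname check Ruby's SSL client (and therefore knife) applies after the chain has verified. The key size and validity period are assumptions for the example; everything else is the thread's own data.

```ruby
require 'openssl'
require 'ipaddr'

# Added example, not code from the thread or from Chef. Names and addresses
# are the ones from the original post; key size and validity are assumptions.

# Build a self-signed X.509v3 certificate for +cn+ with the given SubjectAltName
# entries (+sans+ uses openssl's extension syntax, e.g. "DNS:chef.dmz.loc" or
# "IP:192.168.0.2"). An empty +sans+ yields a CN-only certificate, which is what
# a plain `openssl req -x509` run with no extensions produces.
def build_self_signed(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # v3: required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 365 * 24 * 60 * 60

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', sans.join(','))) unless sans.empty?
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Which of +targets+ (hostnames or IP literals, i.e. what knife would have in
# chef_server_url) does +cert+ identify? This is the check Ruby's SSL client
# runs in post_connection_check once the chain itself has verified.
def identity_check(cert, targets)
  targets.map { |t| [t, OpenSSL::SSL.verify_certificate_identity(cert, t)] }.to_h
end

# The SAN entries, as `openssl x509 -noout -ext subjectAltName` would print them.
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  ext ? ext.value : '(none)'
end

if __FILE__ == $0
  targets = %w[chef.dmz.loc example.com 192.168.0.2 93.184.216.119 other.example.org]

  # 1. CN-only cert for the internal name: the poster's "configured for the local FQDN" case.
  cn_only, = build_self_signed('chef.dmz.loc', [])
  puts "CN-only cert, SAN: #{san_entries(cn_only)}"
  identity_check(cn_only, targets).each { |t, ok| puts "  #{t.ljust(18)} #{ok}" }

  # 2. SAN cert covering both names and both IPs: the suggested fix.
  full, = build_self_signed('chef.dmz.loc',
                            %w[DNS:chef.dmz.loc DNS:example.com IP:192.168.0.2 IP:93.184.216.119])
  puts "SAN cert, SAN: #{san_entries(full)}"
  identity_check(full, targets).each { |t, ok| puts "  #{t.ljust(18)} #{ok}" }

  # 3. Pitfall: once any SAN is present the CN is ignored, so a SAN that lists
  #    only the external name silently breaks the internal one.
  partial, = build_self_signed('chef.dmz.loc', %w[DNS:example.com])
  puts "SAN with only the external name, chef.dmz.loc => " \
       "#{identity_check(partial, ['chef.dmz.loc'])['chef.dmz.loc']}"
end
```

The third case is the caveat worth remembering when reissuing the certificate: the SAN must repeat the name that is in the CN, because verifiers stop looking at the CN as soon as a SAN extension exists. Against the real server, `knife ssl check` (Chef 11.12 and later) performs this same test for the chef_server_url of whichever config is selected with `knife -c`, so run it once with the internal config and once with the external one before deciding the nginx side is done.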
